243 lines
8.2 KiB
Plaintext
243 lines
8.2 KiB
Plaintext
|
#!/bin/bash
|
||
|
#
|
||
|
# Copyright Hari Sekhon 2007
|
||
|
#
|
||
|
# This program is free software; you can redistribute it and/or modify
|
||
|
# it under the terms of the GNU General Public License as published by
|
||
|
# the Free Software Foundation; either version 2 of the License, or
|
||
|
# (at your option) any later version.
|
||
|
#
|
||
|
# This program is distributed in the hope that it will be useful,
|
||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
# GNU General Public License for more details.
|
||
|
#
|
||
|
# You should have received a copy of the GNU General Public License
|
||
|
# along with this program; if not, write to the Free Software
|
||
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||
|
#
|
||
|
|
||
|
# Nagios Plugin to list all currently logged on users to a system.
|
||
|
|
||
|
# Modified by Rob MacKenzie, SFU - rmackenz@sfu.ca
|
||
|
# Added the -w and -c options to check for number of users.
|
||
|
|
||
|
|
||
|
version=0.3
|
||
|
|
||
|
# This makes coding much safer as a varible typo is caught
|
||
|
# with an error rather than passing through
|
||
|
set -u
|
||
|
|
||
|
# Note: resisted urge to use <<<, instead sticking with |
|
||
|
# in case anyone uses this with an older version of bash
|
||
|
# so no bash bashers please on this
|
||
|
|
||
|
# Standard Nagios exit codes
|
||
|
OK=0
|
||
|
WARNING=1
|
||
|
CRITICAL=2
|
||
|
UNKNOWN=3
|
||
|
|
||
|
usage(){
|
||
|
echo "usage: ${0##*/} [--simple] [ --mandatory username ] [ --unauthorized username ] [ --whitelist username ]"
|
||
|
echo
|
||
|
echo "returns a list of users on the local machine"
|
||
|
echo
|
||
|
echo " -s, --simple show users without the number of sessions"
|
||
|
echo " -m username, --mandatory username"
|
||
|
echo " Mandatory users. Return CRITICAL if any of these users are not"
|
||
|
echo " currently logged in"
|
||
|
echo " -b username, --blacklist username"
|
||
|
echo " Unauthorized users. Returns CRITICAL if any of these users are"
|
||
|
echo " logged in. This can be useful if you have a policy that states"
|
||
|
echo " that you may not have a root shell but must instead only use "
|
||
|
echo " 'sudo command'. Specifying '-u root' would alert on root having"
|
||
|
echo " a session and hence catch people violating such a policy."
|
||
|
echo " -a username, --whitelist username"
|
||
|
echo " Whitelist users. This is exceptionally useful. If you define"
|
||
|
echo " a bunch of users here that you know you use, and suddenly"
|
||
|
echo " there is a user session open for another account it could"
|
||
|
echo " alert you to a compromise. If you run this check say every"
|
||
|
echo " 3 minutes, then any attacker has very little time to evade"
|
||
|
echo " detection before this trips."
|
||
|
echo
|
||
|
echo " -m,-u and -w can be specified multiple times for multiple users"
|
||
|
echo " or you can use a switch a single time with a comma separated"
|
||
|
echo " list."
|
||
|
echo " -w integer, --warning integer"
|
||
|
echo " Set WARNING status if more than INTEGER users are logged in"
|
||
|
echo " -c integer, --critical integer"
|
||
|
echo " Set CRITICAL status if more than INTEGER users are logged in"
|
||
|
echo
|
||
|
echo
|
||
|
echo " -V --version Print the version number and exit"
|
||
|
echo
|
||
|
exit $UNKNOWN
|
||
|
}
|
||
|
|
||
|
simple=""
|
||
|
mandatory_users=""
|
||
|
unauthorized_users=""
|
||
|
whitelist_users=""
|
||
|
warning_users=0
|
||
|
critical_users=0
|
||
|
|
||
|
while [ "$#" -ge 1 ]; do
|
||
|
case "$1" in
|
||
|
-h|--help) usage
|
||
|
;;
|
||
|
-V|--version) echo $version
|
||
|
exit $UNKNOWN
|
||
|
;;
|
||
|
-s|--simple) simple=true
|
||
|
;;
|
||
|
-m|--mandatory) if [ "$#" -ge 2 ]; then
|
||
|
if [ -n "$mandatory_users" ]; then
|
||
|
mandatory_users="$mandatory_users $2"
|
||
|
else
|
||
|
mandatory_users="$2"
|
||
|
fi
|
||
|
shift
|
||
|
else
|
||
|
usage
|
||
|
fi
|
||
|
;;
|
||
|
-b|--blacklist) if [ "$#" -ge 2 ]; then
|
||
|
if [ -n "$unauthorized_users" ]; then
|
||
|
unauthorized_users="$unauthorized_users $2"
|
||
|
else
|
||
|
unauthorized_users="$2"
|
||
|
fi
|
||
|
shift
|
||
|
else
|
||
|
usage
|
||
|
fi
|
||
|
;;
|
||
|
-a|--whitelist) if [ "$#" -ge 2 ]; then
|
||
|
if [ -n "$whitelist_users" ]; then
|
||
|
whitelist_users="$whitelist_users $2"
|
||
|
else
|
||
|
whitelist_users="$2"
|
||
|
fi
|
||
|
shift
|
||
|
else
|
||
|
usage
|
||
|
fi
|
||
|
;;
|
||
|
-w|--warning) if [ "$#" -ge 2 ]; then
|
||
|
if [ $2 -ge 1 ]; then
|
||
|
warning_users=$2
|
||
|
fi
|
||
|
shift
|
||
|
else
|
||
|
usage
|
||
|
fi
|
||
|
;;
|
||
|
-c|--critical) if [ "$#" -ge 2 ]; then
|
||
|
if [ $2 -ge 1 ]; then
|
||
|
critical_users=$2
|
||
|
fi
|
||
|
shift
|
||
|
else
|
||
|
usage
|
||
|
fi
|
||
|
;;
|
||
|
*) usage
|
||
|
;;
|
||
|
esac
|
||
|
shift
|
||
|
done
|
||
|
|
||
|
mandatory_users="`echo $mandatory_users | tr ',' ' '`"
|
||
|
unauthorized_users="`echo $unauthorized_users | tr ',' ' '`"
|
||
|
whitelist_users="`echo $whitelist_users | tr ',' ' '`"
|
||
|
|
||
|
# Must be a list of usernames only.
|
||
|
userlist="`who|grep -v "^ *$"|awk '{print $1}'|sort`"
|
||
|
usercount="`who|wc -l`"
|
||
|
|
||
|
errormsg=""
|
||
|
exitcode=$OK
|
||
|
|
||
|
if [ -n "$userlist" ]; then
|
||
|
if [ -n "$mandatory_users" ]; then
|
||
|
missing_users=""
|
||
|
for user in $mandatory_users; do
|
||
|
if ! echo "$userlist"|grep "^$user$" >/dev/null 2>&1; then
|
||
|
missing_users="$missing_users $user"
|
||
|
exitcode=$CRITICAL
|
||
|
fi
|
||
|
done
|
||
|
for user in `echo $missing_users|tr " " "\n"|sort -u`; do
|
||
|
errormsg="${errormsg}user '$user' not logged in. "
|
||
|
done
|
||
|
fi
|
||
|
|
||
|
if [ -n "$unauthorized_users" ]; then
|
||
|
blacklisted_users=""
|
||
|
for user in $unauthorized_users; do
|
||
|
if echo "$userlist"|sort -u|grep "^$user$" >/dev/null 2>&1; then
|
||
|
blacklisted_users="$blacklisted_users $user"
|
||
|
exitcode=$CRITICAL
|
||
|
fi
|
||
|
done
|
||
|
for user in `echo $blacklisted_users|tr " " "\n"|sort -u`; do
|
||
|
errormsg="${errormsg}Unauthorized user '$user' is logged in! "
|
||
|
done
|
||
|
fi
|
||
|
|
||
|
if [ -n "$whitelist_users" ]; then
|
||
|
unwanted_users=""
|
||
|
for user in `echo "$userlist"|sort -u`; do
|
||
|
if ! echo $whitelist_users|tr " " "\n"|grep "^$user$" >/dev/null 2>&1; then
|
||
|
unwanted_users="$unwanted_users $user"
|
||
|
exitcode=$CRITICAL
|
||
|
fi
|
||
|
done
|
||
|
for user in `echo $unwanted_users|tr " " "\n"|sort -u`; do
|
||
|
errormsg="${errormsg}Unauthorized user '$user' detected! "
|
||
|
done
|
||
|
fi
|
||
|
|
||
|
if [ $warning_users -ne 0 -o $critical_users -ne 0 ]; then
|
||
|
unwanted_users=`who`
|
||
|
if [ $usercount -ge $critical_users -a $critical_users -ne 0 ]; then
|
||
|
exitcode=$CRITICAL
|
||
|
elif [ $usercount -ge $warning_users -a $warning_users -ne 0 ]; then
|
||
|
exitcode=$WARNING
|
||
|
fi
|
||
|
OLDIFS="$IFS"
|
||
|
IFS=$'\n'
|
||
|
for user in $unwanted_users; do
|
||
|
errormsg="${errormsg} --- $user"
|
||
|
done
|
||
|
IFS="$OLDIFS"
|
||
|
fi
|
||
|
|
||
|
if [ "$simple" == "true" ]
|
||
|
then
|
||
|
finallist=`echo "$userlist"|uniq`
|
||
|
else
|
||
|
finallist=`echo "$userlist"|uniq -c|awk '{print $2"("$1")"}'`
|
||
|
fi
|
||
|
else
|
||
|
finallist="no users logged in"
|
||
|
fi
|
||
|
|
||
|
if [ "$exitcode" -eq $OK ]; then
|
||
|
echo "USERS OK:" $finallist
|
||
|
exit $OK
|
||
|
elif [ "$exitcode" -eq $WARNING ]; then
|
||
|
echo "USERS WARNING: [users: "$finallist"]" $errormsg
|
||
|
exit $WARNING
|
||
|
elif [ "$exitcode" -eq $CRITICAL ]; then
|
||
|
echo "USERS CRITICAL: [users: "$finallist"]" $errormsg
|
||
|
exit $CRITICAL
|
||
|
else
|
||
|
echo "USERS UNKNOWN:" $errormsg"[users: "$finallist"]"
|
||
|
exit $UNKNOWN
|
||
|
fi
|
||
|
|
||
|
exit $UNKNOWN
|